The Rise of Identity Security Threats

July 18, 2023

Identity-based attacks are on the rise. Research sponsored by the Identity Defined Security Alliance (IDSA) found that 79% of respondents had an identity-related breach within the past two years. In fact, identity compromise and misuse are central to almost every cyberattack. Malicious actors no longer need to breach a firewall to enter a network; they just need to compromise an identity.

 

 

How are threat actors targeting today’s organizations?

Identity-based attacks make use of compromised credentials, over-privileged users and gaps in visibility. They exploit hidden attack paths that are harder to detect than traditional code-based exploits. As such, threat actors are highly motivated to exploit the identity sprawl caused by cloud adoption, the proliferation of non-human accounts and the use of disparate systems to manage identities.

 

Attackers have been quick to apply the well-known “land and expand” techniques to these environments. They capitalize on the lack of visibility and lack of unified identity telemetry many organizations experience regarding cloud/multi-cloud and hybrid environments.

 

 

The problem with identity: it makes for a near-foolproof disguise

Distinguishing between how a legitimate user is leveraging an identity and the misuse of that identity by an unauthorized user is often nearly impossible. By compromising an identity, a threat actor can essentially impersonate a user to access resources, compromise systems, move laterally and compromise further identities to gain higher levels of access and privilege.

 

The most pervasive factor preventing organizations from effective identity-related risk mitigation is a lack of continuous visibility of identities across all systems, especially on rapidly expanding cloud systems. Even for known identities, there is a lack of understanding around the privileges and entitlements associated with identities. This problem is then compounded by dynamic environments where new users, systems and integrations are constantly creating new attack paths on top of existing misconfigurations that can mask the activity of threat actors.

 

 

What is the best strategy for stopping an identity-based attack?

Today, organizations need to identify, eliminate and audit attack paths in their dynamic, modern IT environments. These are all keys to reducing the attack surface, uncovering unknown risks and remediating incidents independently from malicious code detection.

 

Identity Threat Detection and Response (ITDR) represents a significant opportunity to accomplish these security objectives, bridging the gap between IAM and security teams. By combining cyber threat intelligence, detection, investigation and response in one security discipline, organizations are much better poised to defend their identity infrastructures.

 

 

How can you stop an identity-based attack with ITDR?

The best strategy is to layer up an integrated ecosystem that helps you proactively reduce your attack surface. Here’s how to build an ITDR response that can stop an attack in its tracks:

 

1. Build a strong foundation.
Without getting the basics right, you risk undermining your own investment. Before you start chasing the next-gen, cyber buzzword, ensure that you have visibility and control of the devices and software that make up your identity infrastructure, and make sure that these are following good practices. After all, you don’t want an unpatched domain controller to be exploited and undermine your efforts.

 

2. Ensure you have good visibility and control over identities and access.
In so many identity security breaches that hit the headlines, a threat actor was able to compromise an over-privileged user and use VPN access to move laterally, elevate privileges further and cause widespread damage without needing to write an exploit. This is where identity governance, identity lifecycle management, privileged access management and cloud infrastructure entitlements management all come into play.

 

3. Build in practices to continuously audit the controls you have in place following best practices, and to ensure gaps or shadow infrastructure are not emerging.
The challenge here can be how to gain visibility into all identities while being proactive and ensuring best practices are being followed — especially when you have a range of disparate systems across cloud and on-premise. While you can try and script this, manually trawl through systems and data looking for misconfigurations, or buy point solutions that focus on things like AD hardening, this can be very resource intensive and can still fail to keep pace with threats in increasingly dynamic environments.

 

Tools like identity security insights from BeyondTrust are designed to be an additional layer of intelligence that integrates into your ecosystem and exchanges data to automatically give you that unified view of identity and provide recommendations that can be used to proactively reduce risk.

 

4. Layer on detection.
Once you have those solid foundations in place, you can layer on detection to take your identity security program to the next level. This allows you to bridge the gaps between identity and access management (IAM) solutions and SOC tools.

 

Again, you can try to bridge this gap yourself by feeding identity data into SIEM and XDR tools, but these often lack the depth of visibility into an identity. For example, what level of privilege and access does the identity have in the event of a successful MFA fatigue attack? Does this identity have access to other delegated or machine accounts that could inflict significant damage?

 

Lean into tools that can provide you with a level of insight and intelligence that can help you answer these questions quickly to find and contain the blast radius of a compromised identity.

 

With this in place, you now have the visibility of identities and the capability to respond, so look for the tools, signals and integrations that will allow you to reactively detect and respond to identity security threats in as automated a manner as possible. Look to build out identity security Indicators of attack/compromise and utilize user behavioral analysis to better detect attacks as a secondary layer of defense.

 

5. Build your playbook
Finally, build out your identity threat playbook so you know how to respond to identity threats and can automate as much as possible.

James Maude
Lead Cyber Security Researcher | BeyondTrust
James Maude is the Lead Cyber Security Researcher at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.